Python-based Snake Info Stealer Targets Facebook Users

admin · March 10, 2024 11:41:39 · 16 views · 3,630 characters · 12 min 6 sec read

Facebook messages are being used by threat actors to deliver a Python-based information stealer dubbed Snake that's designed to capture credentials and other sensitive data.

"The credentials harvested from unsuspecting users are transmitted to different platforms such as Discord, GitHub, and Telegram," Cybereason researcher Kotaro Ogino said in a technical report.

Details about the campaign first emerged on the social media platform X in August 2023. The attacks entail sending prospective users seemingly innocuous RAR or ZIP archive files that, upon opening, activate the infection sequence.

The intermediate stages involve two downloaders – a batch script and a cmd script – with the latter responsible for downloading and executing the information stealer from an actor-controlled GitLab repository.

Cybereason said it detected three different variants of the stealer, the third one being an executable assembled by PyInstaller. The malware, for its part, is designed to gather data from different web browsers, including Cốc Cốc, suggesting a Vietnamese focus.

The collected information, which comprises credentials and cookies, is then exfiltrated in the form of a ZIP archive via the Telegram Bot API. The stealer is also designed to dump cookie information specific to Facebook, an indication that the threat actor is likely looking to hijack the accounts for their own purposes.
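
The exfiltration path described above (a ZIP archive pushed through the Telegram Bot API, with Discord and GitHub/GitLab also named in the report) is something a defender can hunt for in egress proxy logs. The following is an added example, not code from the report or from Cybereason: it scans constructed proxy log lines for Bot API document uploads, Discord webhook uploads and raw GitLab fetches, and then correlates a download followed by an upload from the same host. The log format, host names, bot and webhook ids are all invented for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log (not from the report): ts host method url content-type bytes
SAMPLE_LOG = """\
2024-03-09T10:01:12Z ws-17 GET https://www.facebook.com/ text/html 51230
2024-03-09T10:02:40Z ws-17 GET https://gitlab.com/EXAMPLE-GROUP/EXAMPLE-PROJECT/-/raw/main/s.py text/plain 40812
2024-03-09T10:03:05Z ws-17 POST https://api.telegram.org/bot123456789:AAExampleTokenOnly/sendDocument multipart/form-data 218744
2024-03-09T10:03:07Z ws-17 POST https://discord.com/api/webhooks/1122334455/EXAMPLEHOOK multipart/form-data 218744
2024-03-09T10:05:00Z ws-22 POST https://api.telegram.org/bot987654321:AAOtherExample/getUpdates application/json 120
"""

# Channels named in the report; only multipart POSTs to sendDocument count as an upload
TELEGRAM_DOC = re.compile(r"^https://api\.telegram\.org/bot(\d+):[^/]+/sendDocument")
DISCORD_HOOK = re.compile(r"^https://discord(?:app)?\.com/api/webhooks/(\d+)/")
GITLAB_RAW = re.compile(r"^https://gitlab\.com/.+/-/raw/")

@dataclass
class Alert:
    client: str
    channel: str
    detail: str

def scan_log(text: str) -> list[Alert]:
    """Return one Alert per log line that matches a staging or exfiltration pattern."""
    alerts: list[Alert] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than crash the scan
        _ts, client, method, url, ctype, size = parts
        if (m := TELEGRAM_DOC.match(url)) and method == "POST" and ctype.startswith("multipart/form-data"):
            alerts.append(Alert(client, "telegram-bot-upload", f"bot id {m.group(1)}, {size} bytes"))
        elif (m := DISCORD_HOOK.match(url)) and method == "POST":
            alerts.append(Alert(client, "discord-webhook-upload", f"webhook id {m.group(1)}, {size} bytes"))
        elif GITLAB_RAW.match(url):
            alerts.append(Alert(client, "gitlab-raw-download", url))
    return alerts

def clients_with_stage_and_exfil(alerts: list[Alert]) -> list[str]:
    """Hosts that fetched a raw GitLab file and then uploaded to a chat/webhook channel."""
    by_client: dict[str, set[str]] = {}
    for a in alerts:
        by_client.setdefault(a.client, set()).add(a.channel)
    return sorted(c for c, ch in by_client.items()
                  if "gitlab-raw-download" in ch and any(x.endswith("-upload") for x in ch))
```

Legitimate automation also talks to the Telegram Bot API, so the correlation step (staging download followed by an upload from the same host) is what turns a noisy indicator into a usable alert.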

The Vietnamese connection is further bolstered by the naming convention of the GitHub and GitLab repositories and the fact that the source code contains references to the Vietnamese language.

"All of the variants support Cốc Cốc Browser, which is a well known Vietnamese Browser used widely by the Vietnamese community," Ogino said.

Over the past year, multiple information stealers targeting Facebook cookies have appeared in the wild, counting S1deload Stealer, MrTonyScam, NodeStealer, and VietCredCare.

The development comes as Meta has come under criticism in the U.S. for failing to assist victims whose accounts have been hacked into, with critics calling on the company to take immediate action to address a "dramatic and persistent spike" in account takeover incidents.

It also follows a discovery that threat actors are "using a cloned game cheat website, SEO poisoning, and a bug in GitHub to trick would-be-game-hackers into running Lua malware," according to OALABS Research.

Specifically, the malware operators are leveraging a GitHub vulnerability that allows an uploaded file associated with an issue on a repository to persist even in scenarios where the issue is never saved.

"This means that anyone can upload a file to any git repository on GitHub, and not leave any trace that the file exists except for the direct link," the researchers said, adding the malware comes fitted with capabilities for command-and-control (C2) communications.

References

[1]https://thehackernews.com/2024/03/new-python-based-snake-info-stealer.html

Originally published on the WeChat official account 知机安全: Python-based Snake Info Stealer Targets Facebook Users

Reposted by CN-SEC中文网 (with thanks to the original author); please keep this link when sharing: https://cn-sec.com/archives/2558727.html